PatchSiren


CVE-2026-45951 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem has been resolved. The issue affected the `check_pseudo_btf_id()` function, where incorrect reference counting could lead to a use-after-free condition on BTF (BPF Type Format) objects. Specifically, the `__check_pseudo_btf_id()` function could be invoked with a BTF object having a zero refcount, creating a potential memory safety vulnerability. The fix corrects the refcounting logic and patches related code accordingly. This vulnerability was addressed through multiple patch iterations, with v2 specifically fixing a refcount leak introduced in v1, and v3 rephrasing a comment for clarity.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, security teams operating containerized environments with BPF workloads, and organizations relying on eBPF-based observability or security tools

Technical summary

The vulnerability exists in the BPF subsystem's BTF object handling. The `check_pseudo_btf_id()` function had incorrect reference counting logic that could pass a zero-refcount BTF object to `__check_pseudo_btf_id()`, resulting in a use-after-free condition. The fix corrects the refcounting implementation and addresses related code paths. Multiple stable kernel branch commits are provided to address this issue across supported kernel versions.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
  • Verify that the running kernel version includes the fix for CVE-2026-45951 in the BPF subsystem
  • Review systems utilizing BPF/BTF functionality for unusual behavior
  • Monitor distribution security advisories for kernel package updates
  • Consider restricting unprivileged BPF access via `kernel.unprivileged_bpf_disabled` sysctl as a defense-in-depth measure until patches are applied
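
One way to audit the `kernel.unprivileged_bpf_disabled` mitigation from the last item is sketched below. This is an added example, not code from PatchSiren or the kernel project. The function names and the `PROC_FILE` / `SYSCTL_DIRS` overrides are hypothetical; the meanings of the values 0, 1 and 2 follow the kernel's sysctl documentation.

```shell
#!/bin/sh
# Added example. Paths are overridable so the logic can be exercised offline.
PROC_FILE="${PROC_FILE:-/proc/sys/kernel/unprivileged_bpf_disabled}"
SYSCTL_DIRS="${SYSCTL_DIRS:-/etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d}"

# Map the sysctl value to its documented meaning.
classify_bpf_sysctl() {
    case "$1" in
        0) echo "exposed" ;;     # unprivileged bpf() calls are allowed
        1) echo "locked" ;;      # disabled; cannot be cleared until reboot
        2) echo "restricted" ;;  # disabled; an admin may still change it
        *) echo "unknown" ;;
    esac
}

# State of the running kernel.
runtime_state() {
    if [ -r "$PROC_FILE" ]; then
        classify_bpf_sysctl "$(tr -d '[:space:]' < "$PROC_FILE")"
    else
        echo "unknown"
    fi
}

# Every persisted value found, one per line. SYSCTL_DIRS is a space-separated
# list (left unquoted on purpose). File precedence is not resolved here, so
# audit() treats any 0 entry as a conflict to review by hand.
persisted_values() {
    grep -rhsE '^[[:space:]]*kernel[./]unprivileged_bpf_disabled[[:space:]]*=' \
        $SYSCTL_DIRS | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Returns 0 (PASS), 1 (FAIL: not restricted now), 2 (WARN: will not survive reboot).
audit() {
    state=$(runtime_state)
    values=$(persisted_values)
    case "$state" in
        exposed|unknown)
            # Runtime fix: sysctl -w kernel.unprivileged_bpf_disabled=1
            echo "FAIL runtime=$state"; return 1 ;;
    esac
    if [ -z "$values" ]; then
        echo "WARN runtime=$state persisted=none"; return 2
    elif printf '%s\n' "$values" | grep -qx '0'; then
        echo "WARN runtime=$state persisted=conflict"; return 2
    fi
    echo "PASS runtime=$state"
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run` on the host being checked. Because the value 1 cannot be cleared without a reboot, use 2 where the restriction may need to be lifted once the patched kernel is installed.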

Evidence notes

The vulnerability description indicates a use-after-free condition in BPF BTF object handling. The fix involved correcting refcounting in `check_pseudo_btf_id()` and `__check_pseudo_btf_id()`. Multiple kernel stable branch commits are referenced, suggesting backports to supported kernel versions. The iterative patch development (v1-v3) indicates careful review of the refcounting fix to avoid introducing memory leaks.

Official resources

2026-05-27